Re: Microsoft Malicious Software Removal Tool

I went to the link shown by Microchip and clicked on the link for pcwebtools' Spyware Doctor. I downloaded the software, ran the scan and saw that most of the spyware on my computer were from cookies - I just deleted the cookies. I uninstalled the program via "add/remove programs" and have now run into this problem....
My browser (internet explorer) has been hijacked to:

http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww

I've gone into tools> Internet Options> General & changed my webpage back to what it was before, closed the window and restarted Internet Explorer only to find that my homepage was changed back to the pcwebtools.support page. I've used Microsoft's malicious software removal tool, Ad-Aware SE Personal, & SpyBot Search & Destroy - but nothing detects any spyware or other malicious software in my computer.

Does anyone have any suggestions???

Thanks in advance-

 

Were you having Malware related issues before going to the link? If so, how long and what problems?

Please see the below thread, then attach a current HJT log.
http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

 

Not that I know of, however, since my last post I installed web defender (which did not detect anything) as well as SpyDoctor - but neither is finding anything but cookies which are unrelated to the offending page. Moreoever, I ran another scan of my computer online (sorry, I should have bookmarked the page because I can't recall what service it was) and it found something called: Snatchkey - indeed, it had several events of this. It wouldn't remove it unless I purchased the program. I didn't purchase it.
I downloaded HijackThis and ran the scan and it found the offending webpage - but I haven't removed it yet because I wanted someone with more knowledge than I to look at the log file to see if they could find out where this "snatchkey" thing is so I could delete that too. I don't see it....

Anyway, am I allowed to upload the log file here?

 

Yes, I requested you to attach the log.

 

Thank you-

Here's the log. I tried to delete the offending webpage (I checked off the box next to the webpage and clicked on Fix Checked - But when I did another scan - It Was Still There!!!) I made sure I didn't have any browsers open when I did the scan/fix. Does this mean something bad?

Below you will find the results of the scan. I also attached the start up list.

I really - REALLY appreciate your help. Thank you so much!

Edit by bjgarrick: Inline log attached!

 

lrs52200,

Your HJT is not installed properly, please follow the instructions given.

Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:

• Click START > My Computer > Local Disc C: > Program Files
• Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:

• Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
• (C:\Program Files\HJT) and click Next.

After you have completed the above steps to relocate HJT, run it from the new location. Please save your HJT log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

 

I hope I did this right....

 

Have HJT fix the below entry..

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=B uttonwww


Please see the below threads...

• Running WinPfind by OldTimer
• Using GetRunKey
• Using ShowNew

Once you have followed each thread you should attach these three logs to your next post.

• WinPFind.txt
• runkey.txt
• newfiles.txt

 

I had HJT remove the file. Forgive my ignorance, but I have to ask this: When I clicked on fix - I rescanned, and it was there again. Did I do something wrong? I clicked on fix again, and didn't rerun the scan.

Here are the other text files:

 

Your logs look good to me!

Run CCleaner to clean up cookies and temp files.

After you have ran CCleaner, fix the entry with HJT again if it exist then proceed to this last step.

Reset Web Settings & Default Security Settings:

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.